domainkey selector too long?

luca_2186
Posts: 7
Joined: Wed Feb 13, 2019 3:10 pm

domainkey selector too long?

Post by luca_2186 »

I have an odd problem with my Zimbra mail server.
I run Zimbra Collaboration 8.8.9 on Ubuntu Server 16.04.
I have noticed that the DKIM validation of email sent from my domains to my domains fails because of a DNS SERVFAIL due to a timeout querying the domainkey.
So I have tried to query the domainkey with dig through various public DNS servers from my mail server, and indeed I always get a timeout.
So I have tried the same query from another Ubuntu server on another network and from a Univention server, and I still had the same result.
If I run the same query from a CentOS server or any Windows server (nslookup), I get the correct answer from the DNS servers.
Do you have the same problem?
How can I fix this?
Is it possible to generate a shorter domainkey selector in Zimbra as a workaround?

EDIT:
It seems that the problem happens only on machines behind a Cisco ASA 5510 firewall and that it is system independent. But even after disabling the firewall the problem persists.

EDIT2:
I'm sorry, I forgot to mention that when querying a DNS record that is shorter than those generated by Zimbra, everything works properly from any machine.
Last edited by luca_2186 on Wed Feb 13, 2019 7:36 pm, edited 1 time in total.
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: domainkey selector too long?

Post by L. Mark Stone »

Sounds like your domain's DNS servers are taking too long to respond to queries.

Maybe I'm not fully understanding the issue?
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
luca_2186
Posts: 7
Joined: Wed Feb 13, 2019 3:10 pm

Re: domainkey selector too long?

Post by luca_2186 »

I have found the problem by analyzing the firewall log.
By default the maximum allowed UDP packet size in a DNS reply is 512 bytes, and I had to raise this value to make everything work.
The value of 512 bytes seems to be a common default value in many firewalls because it is the RFC 1035 standard.
It seems that the selectors generated by Zimbra, due to their length, generate an answer of 518 bytes (I haven't really understood how those things are related).
I think that this is an important thing to know because probably many mail servers that use a firewall may fail DMARC authentication for mails coming from a Zimbra server for this reason.
Zimbra developers should seriously consider changing the length of the domainkey selector.

How can I change the selector manually?
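Added example, not from the thread and not Zimbra or OpenDKIM code: the post above leaves open how the selector length and the 512-byte limit are related, so this Python script lays a TXT reply out the way RFC 1035 encodes it and counts the bytes. The selector is part of the queried name, which is echoed in the question section, so every character of a long selector costs one byte of reply; the dominant term, though, is the base64 public key (392 characters for a 2048-bit RSA key, 216 for a 1024-bit one). The domain, the UUID-shaped selector and the key filler are constructed placeholders; the record is assumed to be encoded in the fewest 255-byte strings (zone generators that split it into more strings add one byte per extra string), and the reply is assumed to carry one answer and no authority or additional records, so the result is a lower bound. The EDNS0 OPT record is counted separately because it is what makes clients behave differently: a resolver that advertises a UDP buffer larger than 512 bytes receives the whole reply in one datagram, which a firewall enforcing the classic limit drops, while a client that sends no OPT gets a truncated 512-byte reply and retries over TCP.

```python
"""Size of the UDP reply for a DKIM selector lookup, laid out per RFC 1035.

Added example for this thread; it is not Zimbra or OpenDKIM code. All names and
the key material below are constructed placeholders.
"""

DNS_HEADER_LEN = 12        # ID, flags, four section counts (RFC 1035 4.1.1)
QUESTION_FIXED_LEN = 4     # QTYPE + QCLASS after the QNAME
RR_FIXED_LEN = 10          # TYPE, CLASS, TTL, RDLENGTH after the owner name
NAME_POINTER_LEN = 2       # answer owner name compressed to a pointer at the QNAME
OPT_RR_LEN = 11            # EDNS0 OPT pseudo-RR with no options (RFC 6891)
CLASSIC_UDP_LIMIT = 512    # RFC 1035 2.3.4; the firewall default discussed above

# Constructed inputs (assumption: Zimbra selectors look like a UUID, as the
# thread describes). A 2048-bit RSA SubjectPublicKeyInfo is 294 DER bytes =
# 392 base64 characters; a 1024-bit one is 162 bytes = 216 characters. The
# filler only reproduces those lengths and is not a real key.
DOMAIN = "example-company.com"
LONG_SELECTOR = "5E0F0D28-2F9E-11E9-8F1C-000C29ABCDEF"
SHORT_SELECTOR = "mail"
P_2048 = "A" * 392
P_1024 = "A" * 216


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name: one length octet per label, plus the root."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    for label in labels:
        if len(label) > 63:
            raise ValueError(f"label longer than 63 octets: {label!r}")
    return sum(1 + len(label) for label in labels) + 1


def txt_rdata_len(text: str) -> int:
    """TXT RDATA is one or more <length octet><up to 255 octets> strings."""
    octets = len(text.encode("ascii"))
    strings = max(1, (octets + 254) // 255)   # fewest strings that hold the text
    return octets + strings


def dkim_record(p_value: str) -> str:
    """TXT value for an RSA DKIM key as published for selector._domainkey."""
    return f"v=DKIM1; k=rsa; p={p_value}"


def dkim_reply_len(selector: str, domain: str, txt: str, edns: bool = True) -> int:
    """Bytes in a minimal reply: header, question, one TXT answer, optional OPT.

    A real authoritative reply may add authority/additional records, which only
    makes it larger, so this is a lower bound.
    """
    qname = f"{selector}._domainkey.{domain}"
    question = wire_name_len(qname) + QUESTION_FIXED_LEN
    answer = NAME_POINTER_LEN + RR_FIXED_LEN + txt_rdata_len(txt)
    total = DNS_HEADER_LEN + question + answer
    return total + OPT_RR_LEN if edns else total


def fits_classic_udp(size: int) -> bool:
    return size <= CLASSIC_UDP_LIMIT


def report(selector: str, domain: str, p_value: str) -> dict:
    """Reply sizes with and without EDNS0 and whether each fits in 512 bytes."""
    txt = dkim_record(p_value)
    with_edns = dkim_reply_len(selector, domain, txt, edns=True)
    without = dkim_reply_len(selector, domain, txt, edns=False)
    return {
        "qname": f"{selector}._domainkey.{domain}",
        "edns": with_edns,
        "no_edns": without,
        "fits_edns": fits_classic_udp(with_edns),
        "fits_no_edns": fits_classic_udp(without),
    }


if __name__ == "__main__":
    cases = ((LONG_SELECTOR, P_2048), (SHORT_SELECTOR, P_2048), (LONG_SELECTOR, P_1024))
    for sel, p in cases:
        r = report(sel, DOMAIN, p)
        print(f"{r['qname']}: {r['edns']} B with EDNS0 (fits={r['fits_edns']}), "
              f"{r['no_edns']} B without (fits={r['fits_no_edns']})")
```

For the constructed names the UUID selector with a 2048-bit key comes to 520 bytes with an OPT record and 509 without, the four-character selector to 488, and the UUID selector with a 1024-bit key to 343, so shortening the selector or the key both bring the reply under the limit, but only by a margin that a longer domain name or an extra record eats up again. Against a live record, compare `dig +noedns TXT <selector>._domainkey.<domain>` (no EDNS0, so the server truncates and dig retries over TCP) with a default `dig TXT ...`, and use `dig +tcp ...` to confirm the record itself resolves; `dig +bufsize=512 ...` shows whether the reply fits a 512-byte buffer.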
ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: domainkey selector too long?

Post by ccelis5215 »

luca_2186 wrote:I have found the problem by analyzing the firewall log.
By default the maximum allowed UDP packet size in a DNS reply is 512 bytes, and I had to raise this value to make everything work.
The value of 512 bytes seems to be a common default value in many firewalls because it is the RFC 1035 standard.
It seems that the selectors generated by Zimbra, due to their length, generate an answer of 518 bytes (I haven't really understood how those things are related).
I think that this is an important thing to know because probably many mail servers that use a firewall may fail DMARC authentication for mails coming from a Zimbra server for this reason.
Zimbra developers should seriously consider changing the length of the domainkey selector.

How can I change the selector manually?
Try

/opt/zimbra/libexec/zmdkimkeyutil -a -s yourselector -d domain.com
to change the selector.

ccelis
luca_2186
Posts: 7
Joined: Wed Feb 13, 2019 3:10 pm

Re: domainkey selector too long?

Post by luca_2186 »

ccelis5215 wrote: Try

/opt/zimbra/libexec/zmdkimkeyutil -a -s yourselector -d domain.com
to change the selector.

Thanks, but -a will also change the key pair. Isn't there an easy way to change only the selector?
ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: domainkey selector too long?

Post by ccelis5215 »

luca_2186 wrote:
ccelis5215 wrote: Try

/opt/zimbra/libexec/zmdkimkeyutil -a -s yourselector -d domain.com
to change the selector.

Thanks, but -a will also change the key pair. Isn't there an easy way to change only the selector?

/opt/zimbra/libexec/zmdkimkeyutil -u -s newselector -d domain.com
to change the domain selector and update the value.

ccelis
luca_2186
Posts: 7
Joined: Wed Feb 13, 2019 3:10 pm

Re: domainkey selector too long?

Post by luca_2186 »

ccelis5215 wrote:

/opt/zimbra/libexec/zmdkimkeyutil -u -s newselector -d domain.com
to change the domain selector and update the value.

Unfortunately this command also changed the key pair. Not really a problem, but this way I had to change the public key in DNS while the mail server was still sending email expecting the new key to be already up.